Lyceum APT made the headlines with attacks in the Middle East

A recently reported APT group dubbed Lyceum targets oil and gas organizations in the Middle East using simple techniques.

The activity of the Lyceum APT group was first documented earlier in August by researchers at the ICS security firm Dragos, who track it as Hexane.

Security experts at Dragos Inc. reported that Hexane is targeting organizations in the oil and gas industry and telecommunication providers.

According to Dragos, the Hexane group has been active since at least mid-2018 and has intensified its activity since early 2019, coinciding with the escalation of tensions in the Middle East.

Now experts at SecureWorks have released a new report on Lyceum's tactics, techniques, and procedures. The Lyceum APT group aims at gathering intelligence on its targets and does not appear to be interested in sabotage.

Lyceum was observed using password spraying and brute-force attacks to compromise email accounts of targeted individuals.

“LYCEUM initially accesses an organization using account credentials obtained via password spraying or brute-force attacks. Using compromised accounts, the threat actors send spearphishing emails with malicious Excel attachments to deliver the DanBot malware, which subsequently deploys post-intrusion tools,” reads the report published by SecureWorks.
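Password spraying leaves a distinctive footprint in authentication logs: one source fails against many different accounts with only one or two attempts each, instead of hammering a single account. The following detector is an added example (not code from SecureWorks or from the article) that runs that check over a constructed, simplified auth log; the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). Source 203.0.113.5 tries one
# password against many accounts (a spray) and gets a hit on "frank";
# source 198.51.100.7 is a single user who mistyped a password twice.
SAMPLE_LOG = """\
2019-05-02T08:00:01 src=203.0.113.5 user=alice result=FAIL
2019-05-02T08:00:03 src=203.0.113.5 user=bob result=FAIL
2019-05-02T08:00:05 src=203.0.113.5 user=carol result=FAIL
2019-05-02T08:00:07 src=203.0.113.5 user=dave result=FAIL
2019-05-02T08:00:09 src=203.0.113.5 user=erin result=FAIL
2019-05-02T08:00:11 src=203.0.113.5 user=frank result=SUCCESS
2019-05-02T08:01:00 src=198.51.100.7 user=grace result=FAIL
2019-05-02T08:01:20 src=198.51.100.7 user=grace result=FAIL
2019-05-02T08:01:40 src=198.51.100.7 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>\S+)$")

def parse_log(text):
    """Parse the assumed 'ts src= user= result=' format into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "user": m["user"], "ok": m["res"] == "SUCCESS"})
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources whose failures in the window hit many distinct accounts
    with few attempts each. The window is measured from the source's first
    event (a simplification of a sliding window). Returns
    {src: {"users": distinct_failed_accounts, "success_after": [accounts]}}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = evs[0]["ts"]
        fails = defaultdict(int)
        for e in evs:
            if e["ts"] - start <= window and not e["ok"]:
                fails[e["user"]] += 1
        if len(fails) >= min_users and max(fails.values()) <= max_per_user:
            # A success following the spray is the account to investigate first.
            findings[src] = {"users": len(fails),
                             "success_after": sorted({e["user"] for e in evs if e["ok"]})}
    return findings
```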

The threat actors deliver the DanBot malware through spearphishing messages carrying weaponized Excel attachments. The bait documents are sent from the compromised accounts to targeted executives, human resources (HR) staff, and IT personnel.

“A malicious document (maldoc) that was uploaded to an online virus scanning repository in May 2019 contains the phrase ‘Industrial Systems Control Programming’. A superficial analysis of the document content might conclude that this document was intended for individuals working with industrial control systems (ICS) or operational technology (OT),” continues the analysis. “However, the true content of this document is a training schedule spanning multiple departments, with ICS being first on the list. This focus on training aligns with LYCEUM’s targeting of executives, HR staff, and IT personnel.”

DanBot is a first-stage remote access trojan (RAT) that is used to deploy post-intrusion tools. The malware uses DNS- and HTTP-based command-and-control communication. DanBot is delivered by a VBA macro embedded in an Excel XLS file dubbed DanDrop.
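A DNS-based command channel of the kind described above has to encode its traffic into query names, which shows up in resolver logs as many unique, long, high-entropy subdomains under one parent domain. The script below is an added example (not code from the article or from SecureWorks) that scores a constructed DNS query log on those three properties; the log format, thresholds and the `c2-placeholder.test` domain are assumptions, and taking the last two labels as the parent domain is a simplification (real analysis would use the public suffix list).

```python
import math
from collections import defaultdict

# Constructed DNS query log (not real data), "client qname" per line.
# Client 10.0.0.12 issues many unique hex-looking labels under one parent
# domain, as a tunneling channel does; the rest are ordinary lookups.
SAMPLE_DNS = """\
10.0.0.12 www.example.com
10.0.0.12 mail.example.com
10.0.0.12 a9f3e2c1b7d04e8f6a2c.c2-placeholder.test
10.0.0.12 0b7e4d1c9a3f5e6d8b2a.c2-placeholder.test
10.0.0.12 7c2d9e1f4a6b8c0d3e5f.c2-placeholder.test
10.0.0.12 e1a5c7b9d3f2048a6c1e.c2-placeholder.test
10.0.0.12 3f8b2c6d0e9a1b4c7d5e.c2-placeholder.test
10.0.0.12 b6d1e9f3a7c2d5e0f4a8.c2-placeholder.test
10.0.0.33 www.example.com
10.0.0.33 cdn.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores far above words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(qname):
    # Simplification: last two labels. Use the public suffix list in practice.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_domains(text):
    """Per parent domain: unique subdomain prefixes, mean entropy, mean length."""
    subs = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        parent = parent_domain(parts[1])
        prefix = parts[1][: -len(parent) - 1]
        if prefix:
            subs[parent].add(prefix)
    return {d: {"unique": len(s),
                "mean_entropy": sum(map(shannon_entropy, s)) / len(s),
                "mean_len": sum(map(len, s)) / len(s)} for d, s in subs.items()}

def flag_tunnels(text, min_unique=5, min_entropy=3.5, min_len=16):
    """Parent domains that look like encoded-data channels under the thresholds."""
    return sorted(d for d, st in score_domains(text).items()
                  if st["unique"] >= min_unique and st["mean_entropy"] >= min_entropy
                  and st["mean_len"] >= min_len)
```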

Another tool used by the group is kl.ps1, a PowerShell-based keylogger.

The group also used ‘Decrypt-RDCMan.ps1,’ a password decryption tool included in the PoshC2 penetration testing framework. The tool gathers and decrypts passwords stored in the configuration file of the RDCMan remote desktop connection manager.

Lyceum attackers also used another PowerShell script, dubbed ‘Get-LAPSP.ps1,’ that collects data from Active Directory via LDAP. The attackers ran this tool once the initial target had been compromised.

Experts pointed out that Lyceum does not use sophisticated hacking techniques. Even though the threat actors appear to be focusing their campaign on industrial control systems (ICS) and operational technology (OT) staff, experts warn that the group could target other industries in the future.

“LYCEUM is an emerging threat to energy organizations in the Middle East, but organizations should not assume that future targeting will be limited to this sector. Critical infrastructure organizations in particular should take note of the threat group’s tradecraft. Aside from deploying novel malware, LYCEUM’s activity demonstrates capabilities CTU researchers have observed from other threat groups and reinforces the value of a few key controls,” concludes the report. “Password spraying, DNS tunneling, social engineering, and abuse of security testing frameworks are common tactics, particularly from threat groups operating in the Middle East.”


Pierluigi Paganini
